TITLE: Distributed architecture allowing local user authentication and authorization 



Brief Summary Text (5) : 

Turning to FIG. 1, one approach for providing network access to a communications 
system 8 over an access point (such as access point 10a, access point 10b, or 
access point 10c) using a communications network 12 is shown. An access point is 
associated with a set of service components and at least one client, enabling a 
subscriber 14 using a host machine 16, such as a personal computer having a modem, 
to obtain access to system 8. As known to those of ordinary skill in the art, when 
referred to in the context of the Internet or other large computer networks, each 
client coupled to an access point provides connectivity to hosts within an area 
commonly referred to as a PoP or "Point of Presence." A PoP is a geographical area 
that is serviced by an access point, which is typically managed by an ISP 
("Internet Services Provider"). For dial-up access methods using a public switched 
telephone network (PSTN), the geographical area may be defined by an area code. 

Brief Summary Text (7) : 

For dial-up access to network 12, each access point includes a network access 
server (commonly referred to as a NAS), such as network access server 18. Network 
access server 18 functions as an interface between host machine 16 (via the modem) 
and the necessary services which must be provided when subscriber 14 seeks to 
obtain network access using a dial access method. Responding to a dial-up access 
request typically includes the process steps (sometimes referred to as "states") of 
authentication, authorization, and accounting. These states may be provided by an 
AAA server, such as AAA server 20. AAA server 20 uses the RADIUS protocol to 
communicate with devices, such as network access server 18, which request 
authentication, authorization, and accounting services. 

Detailed Description Text (18): 

Network access events are published during the processing of an access request, 
such as during the allocation of an address by a DHCP server or equivalent service 
component. Because mother cache 74 subscribes to the network access events, it is 
able to maintain an up-to-date set of user records. Network access events are 
published using an access event publisher which collects information related to an 
event to be published and then publishes the event using information bus 72. An 
access event publisher is associated with each access point having a local cache 
and is coupled to information bus 72. Each event publisher publishes a network 
event in response to the completion of a selected step that is performed during the 
servicing of an access request. 

Detailed Description Text (19) : 

In accordance with a presently preferred embodiment of the present invention, there 
are three types of network access events published by an access event publisher. 
The first event may be referred to as an address allocated event that is triggered 
each time an address is allocated in response to an access request. For example, as 
shown in FIG. 2, client 86 supports host 100 that is configured to obtain network 
access using a dial-up access method. As known in the art, the dial-up access 
method requires procuring a network address in response to an access request which 
has been properly authenticated and authorized by an AAA server, such as AAA server 
112. The network address may be procured dynamically using the services of at least 
one DHCP server, such as DHCP server 114, if the user requesting network access has 
been selected to receive a dynamically allocated address, such as an IP address. 
AAA servers and DHCP servers are known in the art and will not be discussed in 
detail other than that necessary to disclose the present invention. 

Detailed Description Text (29) : 

A protocol interface allows access requests received from a client to be serviced 
using components that may communicate using different protocols, such as AAA server 
and DHCP server. As shown in FIG. 2, a protocol interface, such as protocol 
interface 95, used by an access point is coupled to at least one client, an access 
event publisher, a AAA server, and a DHCP server, such as client 86, access event 
publisher 82, AAA server 112, and DHCP server 114, respectively. Protocol interface 
95 receives a network access request from client 86 and determines the proper 
access methodology required to properly process the network access request. For 
example, if the client relies on a dial-up access methodology, such as client 86, 
then the protocol interface processes the network access request according to the 
dial-up access methodology. This includes sending a request for authentication and 
authorization to AAA server 12 and if authorized, sending an IP address request to 
DHCP server 114. Upon receipt of the IP address, protocol interface 95 forwards the 
IP address to client 86 which, in turn, forwards it to host 100. Receiving an IP 
address enables host 100 to request a log-on session by, among other things, 
sending the IP address to client 86 which, in turn forwards the IP address to 
protocol interface 95. 

Detailed Description Text (44): 

At reference number 234, the access request is then authenticated and authorized, 
and if applicable, a network address, such as an IP address, is procured 
dynamically. As known to those of ordinary skill in the art, authentication and 
authorization services may be procured using the services of a AAA server, such as 
AAA server 112 in FIG. 2, while a dynamically allocated IP address may be procured 
from a DHCP server, such as DHCP server 114. 

Detailed Description Text (46) : 

At reference number 238, the allocated address is received by the client from the 
DHCP server and then relayed to the requesting host, such as host 100. Upon receipt 
host 100 may then respond by transmitting an account start signal, such as an 
account start packet, to client 86. 
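The access flow spread over Detailed Description Text (18), (19), (29), (44) and (46) is easier to follow as one runnable model. The following is an added example, not code from the patent: a protocol interface first obtains authentication and authorization from a RADIUS-style AAA server, then procures an address from a DHCP server, and an access event publisher puts the resulting "address allocated" event on an information bus to which a mother cache subscribes. The "account start" event mirrors the account start packet in text (46); the "account stop" event, the usernames, passwords, address pool and point-of-presence name are all constructed assumptions for the example.

```python
import hmac
from collections import defaultdict


class AAAServer:
    """RADIUS-style authentication and authorization over a constructed subscriber table."""

    def __init__(self, subscribers):
        # subscribers: username -> {"password": str, "dynamic_address": bool}
        self.subscribers = subscribers

    def authenticate_authorize(self, username, password):
        entry = self.subscribers.get(username)
        # Unknown users and wrong passwords take the same constant-time path.
        expected = entry["password"] if entry else ""
        if entry is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return {"dynamic_address": entry["dynamic_address"]}  # authorization attributes


class DHCPServer:
    """Allocates addresses from a constructed pool and tracks leases per client."""

    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}

    def allocate(self, client_id):
        if not self.free:
            raise RuntimeError("address pool exhausted")
        address = self.free.pop(0)
        self.leases[client_id] = address
        return address

    def release(self, client_id):
        address = self.leases.pop(client_id)
        self.free.append(address)
        return address


class InformationBus:
    """Publish/subscribe bus; handlers are registered per event type."""

    def __init__(self):
        self.handlers = defaultdict(list)

    def subscribe(self, event_type, handler):
        self.handlers[event_type].append(handler)

    def publish(self, event_type, payload):
        for handler in self.handlers[event_type]:
            handler(dict(payload))  # each subscriber gets its own copy


class MotherCache:
    """Subscribes to network access events and keeps one up-to-date record per user."""

    def __init__(self, bus):
        self.records = {}
        bus.subscribe("address_allocated", self.on_address_allocated)
        bus.subscribe("account_start", self.on_account_start)
        bus.subscribe("account_stop", self.on_account_stop)  # assumed third event type

    def on_address_allocated(self, ev):
        self.records[ev["user"]] = {"address": ev["address"],
                                    "access_point": ev["access_point"], "session": "addressed"}

    def on_account_start(self, ev):
        rec = self.records.get(ev["user"])
        if rec is None or rec["address"] != ev["address"]:
            return  # start signal that does not match an allocation is ignored
        rec["session"] = "active"

    def on_account_stop(self, ev):
        self.records.pop(ev["user"], None)


class ProtocolInterface:
    """Applies the dial-up access methodology: AAA, then DHCP, then publish the event."""

    def __init__(self, aaa, dhcp, bus, access_point):
        self.aaa, self.dhcp, self.bus, self.access_point = aaa, dhcp, bus, access_point

    def handle_access_request(self, username, password):
        grant = self.aaa.authenticate_authorize(username, password)
        if grant is None:
            return {"granted": False, "address": None}  # nothing is allocated or published
        address = None
        if grant["dynamic_address"]:
            address = self.dhcp.allocate(username)
            self.bus.publish("address_allocated", {"user": username, "address": address,
                                                   "access_point": self.access_point})
        return {"granted": True, "address": address}

    def handle_account_start(self, username, address):
        self.bus.publish("account_start", {"user": username, "address": address})

    def handle_account_stop(self, username):
        if username in self.dhcp.leases:
            self.dhcp.release(username)  # return the lease before the cache forgets the user
        self.bus.publish("account_stop", {"user": username})


def run_demo():
    bus = InformationBus()
    cache = MotherCache(bus)
    aaa = AAAServer({"alice": {"password": "wonderland", "dynamic_address": True},
                     "bob": {"password": "builder", "dynamic_address": False}})
    dhcp = DHCPServer(["192.0.2.10", "192.0.2.11"])  # constructed pool (documentation range)
    pi = ProtocolInterface(aaa, dhcp, bus, "pop-a")
    out = {"alice": pi.handle_access_request("alice", "wonderland")}
    pi.handle_account_start("alice", out["alice"]["address"])
    out["bad_password"] = pi.handle_access_request("alice", "wrong")
    out["bob"] = pi.handle_access_request("bob", "builder")
    out["records"] = {u: dict(r) for u, r in cache.records.items()}
    pi.handle_account_stop("alice")
    out["after_stop"] = dict(cache.records)
    out["free"] = list(dhcp.free)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note the ordering: the address is only requested from DHCP after the AAA grant, so a rejected request never consumes a lease or produces an event, and the cache only marks a session active when the account start matches the address it already holds.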

Other Reference Publication (7) : 

Rigney, et al., "Remote Authentication Dial In User Service (RADIUS)", Network 
Working Group, RFC 2138, Apr. 1997, pp. 1-57. 
TITLE: Quality of service allocation on a network 



Brief Summary Text (16) : 

Particular reference is made hereinafter to dynamic address allocation, although it 
should be understood that the invention is not limited to environments with dynamic 
allocation of IP addresses, but also to other environments with, for example, 
dynamic allocation of ports. Dynamic address allocation is provided under a number 
of different environments. Examples of such environments are the Remote 
Authentication Dial in User Service (RADIUS) and the Dynamic Host Configuration 
Protocol (DHCP). A description of RADIUS is to be found in C. Rigney, A. Rubens, W. 
Simpson, and S. Willens, "Remote Authentication Dial in User Service (RADIUS)", RFC 
2138, April 1997. A description of DHCP can be found in R. Droms, "Dynamic Host 
Configuration Protocol", RFC 2131, March 1997. 

Brief Summary Text (27) : 

As opposed to conventional a priori allocation of QoS configuration rules, an 
embodiment of the invention provides an allocation of a QoS in response to 
detection of a new instance of an entity associated with a flow. In this manner the 
QoS can be allocated dynamically as activity for an entity starts. As a result, the 
configuration rules are only created when the flows to which they apply are 
present. Thus they can be allocated dynamically. They can even be based on a flow 
parameter (e.g., a network address or a port) that is itself allocated dynamically. A 
flexible mapping from a flow-to-entity binding to the configuration rules is thereby possible. 

Brief Summary Text (30) : 

Alternatively, or in addition, the detection of a new instance of an entity 
associated with a flow can be achieved in response to a directory event. For 
instance this can be achieved by responding to changes in a directory of a 
directory service resulting from, for example, events such as a DHCP dynamic 
allocation phase or a RADIUS authentication phase. 

Detailed Description Text (11) : 

In one embodiment the network access server 16 forms a network element in the form 
of a RADIUS client for a RADIUS server. The RADIUS client is implemented by a 
directory server 22 in the present example. It should be noted, however, that this 
is but one embodiment of the invention. For example, the network access server 16 
could provide the combined functionality of a RADIUS client and a RADIUS server. 
Indeed, more generally, a network access server need not be provided. For example, 
in another embodiment the network access server could be replaced by a DHCP server. 

Detailed Description Text (13): 

The network access server 16 is thus able to access the directory server for user 
parameters and also to modify information in the directory server. Likewise the QoS 
server 20 is able to access both the network access server 16 and the directory 
server 22 for information. In use, for example, from user session to user session, 
the user may be dynamically allocated an available IP address by the network access 
server 16. The network access server 16 is then able to access the directory server 
22 to inform the latter and to update the latter with the current information about 
the user. Under LDAP, it is possible to retrieve user profiles using fields of IP 
packet headers and to change the QoS of the information flow(s) from the retrieved 
information. 

Detailed Description Text (18) : 

Alternatively, it may receive a report of such an event from the directory service 
via the directory interface 44. A report from the directory service can be 
generated automatically in response to, for example, a directory entry being 
updated by a RADIUS server or a DHCP server (not shown). Such a directory entry 
update can occur as a result of, for example, the dynamic allocation of a flow 
parameter (e.g. an IP address or port) to an entity, a record of the allocation 
then being made by the RADIUS or DHCP server in the entry for the entity in a 
directory of the directory service. The automatic reporting of the update can be 
pushed to the directory interface by means of a conventional filter arrangement 
and, for example, a replication or other conventional automatic reporting 
mechanism. The directory interface could be arranged to poll the directory service, 
although this would be less efficient. 

Detailed Description Text (65) : 

In a further embodiment of the invention (described with reference to FIG. 6) 
dynamic allocation of IP addresses makes use of directory services to bind a 
dynamic flow parameter or parameters to an entity (e.g. an IP address to a user). 
In this embodiment, the triggering of the Directory Query for the QoS can be in 
response to a user connecting through a RADIUS login phase (or, when available, 
through the Dynamic Host Configuration Protocol (DHCP)). This login phase triggers 
the push of an assigned QoS in the QoS server by updating the user entry with the 
dynamically allocated IP address. This can be achieved by, for example, using 
either the LDAP replication mechanism combined with a search for a QoS, or an event 
notification mechanism. Here the directory server used updates the user entry with 
the allocated IP address from an authentication mechanism such as under RADIUS. 

Detailed Description Text (66) : 

Thus, FIG. 6 illustrates a series of events for this further embodiment when a 
potential occurrence of a flow is linked to an identified event such as a login 
phase or dynamic configuration process (using DHCP or RADIUS). The disappearance of 
the same flow can also be linked to an event such as a logout phase or dynamic 
resource de-allocation (using DHCP or RADIUS). The rules importing the QoS can be 
a priori installed and removed without the effective detection of the flow (a 
system with resources allocated without an effective use of them). 
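The directory-event mechanism described in Brief Summary Text (30) and Detailed Description Texts (13), (18), (65) and (66) can be modelled end to end. The following is an added example, not the patent's own code: a RADIUS-style login phase writes the dynamically allocated IP address into the user's entry in a minimal LDAP-like directory; a filter registered on the directory pushes the change to the QoS server's directory interface, which reads the entry's QoS profile and installs a flow rule keyed by the allocated address; a logout phase clears the address and the rule is removed with it. The attribute names (`ipAddress`, `qosProfile`), the profile table, the distinguished names and the addresses are constructed assumptions.

```python
from copy import deepcopy

# Constructed QoS profiles that a user entry's qosProfile attribute points at.
QOS_PROFILES = {
    "gold": {"rate_kbps": 2048, "priority": 1},
    "bronze": {"rate_kbps": 256, "priority": 4},
}


class Directory:
    """Minimal LDAP-like directory with filter-based change notification (push, not poll)."""

    def __init__(self, entries):
        self.entries = deepcopy(entries)
        self.filters = []  # list of (predicate(old, new), callback(dn, old, new))

    def register_filter(self, predicate, callback):
        self.filters.append((predicate, callback))

    def search(self, dn):
        return deepcopy(self.entries[dn])

    def modify(self, dn, attributes):
        old = deepcopy(self.entries[dn])
        self.entries[dn].update(attributes)
        new = deepcopy(self.entries[dn])
        # Only changes matching a registered filter are reported to subscribers.
        for predicate, callback in self.filters:
            if predicate(old, new):
                callback(dn, old, new)


class QoSServer:
    """Binds a QoS rule to whatever address the directory currently holds for an entity."""

    def __init__(self, directory):
        self.directory = directory
        self.rules = {}  # allocated IP address -> installed rule
        directory.register_filter(self._address_changed, self._on_directory_event)

    @staticmethod
    def _address_changed(old, new):
        return old.get("ipAddress") != new.get("ipAddress")

    def _on_directory_event(self, dn, old, new):
        old_ip = old.get("ipAddress")
        if old_ip:
            self.rules.pop(old_ip, None)  # flow disappeared or the address moved
        new_ip = new.get("ipAddress")
        if new_ip:
            profile = QOS_PROFILES[new.get("qosProfile", "bronze")]
            self.rules[new_ip] = {"entity": dn, **profile}

    def classify(self, src_ip):
        """Rule applied to a packet whose IP header carries src_ip, or None."""
        return self.rules.get(src_ip)


def radius_login(directory, dn, allocated_ip):
    """Login phase: the authentication mechanism records the allocated address in the entry."""
    directory.modify(dn, {"ipAddress": allocated_ip})


def radius_logout(directory, dn):
    """Logout / de-allocation phase: clearing the address removes the rule via the filter."""
    directory.modify(dn, {"ipAddress": None})


def run_demo():
    directory = Directory({
        "uid=alice,ou=users": {"qosProfile": "gold", "ipAddress": None},
        "uid=bob,ou=users": {"qosProfile": "bronze", "ipAddress": None},
    })
    qos = QoSServer(directory)
    trace = {"before": dict(qos.rules)}
    radius_login(directory, "uid=alice,ou=users", "198.51.100.7")
    trace["alice_rule"] = qos.classify("198.51.100.7")
    radius_logout(directory, "uid=alice,ou=users")
    trace["after_logout"] = qos.classify("198.51.100.7")
    # The same address is later allocated to another user: the rule follows the entity.
    radius_login(directory, "uid=bob,ou=users", "198.51.100.7")
    trace["reused"] = qos.classify("198.51.100.7")
    # An unrelated attribute change passes the filter untouched, so no rule churn.
    directory.modify("uid=bob,ou=users", {"lastLogin": "constructed-timestamp"})
    trace["rule_count"] = len(qos.rules)
    return trace


if __name__ == "__main__":
    print(run_demo())
```

The de-allocation path matters as much as the allocation path: a rule keyed by a dynamically allocated address must be torn down when the binding ends, otherwise the next entity to receive that address inherits the previous user's QoS.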

Current US Cross Reference Classification (4): 
709/224 

Other Reference Publication (6): 

"Remote Authentication Dial In User Service (RADIUS)", Rigney et al., (RFC 2138), 
Standards Track, pp. 1-65, Apr. 1997. 

Other Reference Publication (7): 

"Dynamic Host Configuration Protocol", R. Droms, (RFC 2131), Standards Track, pp. 1-
45, Mar. 1997. 



34. The network element of claim 26, wherein said at least one parameter of said 
flow includes a network address allocated to said entity. 